Bitcoin Forum
Author Topic: NXT :: descendant of Bitcoin - Updated Information  (Read 2761537 times)
opticalcarrier
January 01, 2014, 09:11:56 PM
 #12021


What's hash comparison? The hash of the authentic file?

This guide'll help you.

I understand about comparing hash. But I can't locate the hash of the authentic file? Is the hash from the first page of this thread good?

http://info.nxtcrypto.org/nxt-client-0-4-8-released/

You'll find SHA256 sum provided by developer with every release of NXT Client.

Compare it with a hash of downloaded file.

Yes, but it would be smart to do an external verify of the checksum in this thread. So the info/www/forums site should provide a link back to the post here that announces the new client and its checksum.
utopianfuture
January 01, 2014, 09:14:45 PM
 #12022


What's hash comparison? The hash of the authentic file?

This guide'll help you.

I understand about comparing hash. But I can't locate the hash of the authentic file? Is the hash from the first page of this thread good?

http://info.nxtcrypto.org/nxt-client-0-4-8-released/

You'll find SHA256 sum provided by developer with every release of NXT Client.

Compare it with a hash of downloaded file.

Looks good, the download file and its hash in the front page of this thread are safe also. Thanks Intel, it is good to learn these things.


fehen
January 01, 2014, 09:18:10 PM
 #12023

NXT episode-32 [ opoZdun ] EN
http://youtu.be/DZpf_he41vc


-------------------------------------

true today
NXT episode-33 Crazy [ aTTack ]  EN
http://youtu.be/WDK53ly-6Pw
 

Support for the work and to "further figachit"

NXT - 5708493317559318384
 
pandaisftw
January 01, 2014, 09:18:41 PM
 #12024

What I think everyone missed about this security thing is that c-f-b mentioned that this can easily be fixed client-side: e.g. a 3rd party client (perhaps the one in development by nexern) can take your particular passphrase, run it through SHA256 (or whatever hash function you want to use) and use that to generate your account number.

No need to modify anything in the base code. We can even implement wallet.dat files client-side, for increased security (public + private keys can be generated by the client), if the user so desires.

EDIT: This gives NXT users the unique choice of a) using NRS and generating their own complex 30+ char passphrase, so they can use their account anywhere in the world through brainwallet or b) simpler security for average users, but you have to go through a hash function/particular client if you want to access your account.

NXT: 13095091276527367030
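
An added sketch of the client-side scheme described in the post above (not code from NRS or from any Nxt client): a hypothetical third-party client stretches the user's passphrase and hands the result to the node as the secret phrase. Salted PBKDF2-HMAC-SHA256 is swapped in here next to the single SHA256 pass the post mentions; the record fields, function names and iteration count are assumptions.

```python
import base64
import hashlib
import os

ITERATIONS = 200_000  # assumed work factor for this sketch; tune to the client hardware


def plain_sha256_phrase(passphrase: str) -> str:
    """The single unsalted SHA256 pass: every user who picks the same passphrase
    gets the same secret, so one dictionary run covers all of them."""
    return hashlib.sha256(passphrase.encode("utf-8")).hexdigest()


def new_wallet_record() -> dict:
    """Client-side record (the 'wallet.dat' idea): random salt plus KDF parameters.
    Field names are hypothetical."""
    return {"kdf": "pbkdf2-hmac-sha256", "iterations": ITERATIONS,
            "salt": base64.b64encode(os.urandom(16)).decode("ascii")}


def derive_secret_phrase(passphrase: str, record: dict) -> str:
    """Stretch the user's passphrase into the long secret phrase given to the node."""
    if record.get("kdf") != "pbkdf2-hmac-sha256":
        raise ValueError("unsupported KDF in wallet record")
    if record["iterations"] < 100_000:
        raise ValueError("iteration count too low")
    salt = base64.b64decode(record["salt"])
    key = hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"),
                              salt, record["iterations"], dklen=32)
    return key.hex()  # 64 hex characters


if __name__ == "__main__":
    alice, bob = new_wallet_record(), new_wallet_record()
    weak = "correct horse"  # constructed sample passphrase
    print("plain SHA256 :", plain_sha256_phrase(weak))
    print("alice derived:", derive_secret_phrase(weak, alice))
    print("bob derived  :", derive_secret_phrase(weak, bob))
```

The salt record has to be backed up with the client: without it the same passphrase no longer leads to the account, which is option b) in the post.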
xibeijan
January 01, 2014, 09:21:22 PM
 #12025

Do you think NXT value will reach $1 this year? Is it a realistic prediction?

Your prediction is extremely conservative.

+1

NxtChg
January 01, 2014, 09:25:02 PM
 #12026

The server (the java process) stores the user secret phrase for as long as your account is unlocked. But there is no API request that you can make to force it to use that phrase for sending money, unless you also send the secret phrase in the request again.

That's what I thought. So if there is a bug or an exploit it is quite possible that the client can be instructed to send money. Not via API, but via some exploitable hole.

And again, since it's open to the world and its IP is well known, this is scary.

So to be sure a big account has to be locked most of the time, but this means it won't generate any blocks and won't get any fees, correct?


I didn't like that and this is why I removed that possibility and added the requirement for secret phrase on the send money dialog too.

That was a good addition, thanks.

Come-from-Beyond
January 01, 2014, 09:31:56 PM
 #12027

And again, since it's open to the world and its IP is well known, this is scary.

Access to API and interface is blocked by default. Someone has to edit web.xml and put * into allowedUserHosts and allowedBotHosts.
Jean-Luc
January 01, 2014, 09:35:09 PM
 #12028

The server (the java process) stores the user secret phrase for as long as your account is unlocked. But there is no API request that you can make to force it to use that phrase for sending money, unless you also send the secret phrase in the request again.

That's what I thought. So if there is a bug or an exploit it is quite possible that the client can be instructed to send money. Not via API, but via some exploitable hole.

And again, since it's open to the world and its IP is well known, this is scary.

So to be sure a big account has to be locked most of the time, but this means it won't generate any blocks and won't get any fees, correct?
Yes. But PaulyC was not running a big account with a well-known and hallmarked IP, right?

We should focus on finding out how his account was hacked. It is not likely to be a remote exploitable hole exactly because it was not a big public node. I mine on a machine with a public IP that is on almost all the time with an account of a few million, why wasn't I attacked? I just don't think it is a remote exploit at work here. More likely something in his browser or computer. A JavaScript cross-site scripting exploit? Was he browsing any other sites at the moment, possibly Nxt-related?

lead Nxt developer, gpg key id: 0x811D6940E1E4240C
bitcoinpaul
January 01, 2014, 09:35:35 PM
 #12029

I've got PaulyC's password. It's uncrackable and matches the account. If he is not trolling then we have 4 explanations:

- Someone cracked SHA256 and Curve25519 (why then multi-million accounts not hacked?)
- Someone distributes modified NRS (someone should decompile PaulyC's software)
- Keylogger
- He used online node that records entered passphrases

While I may give PaulyC the benefit of doubt, it can't be ruled out that it is a legit transaction authorized by PaulyC himself.

What about this?

Nobody?
NxtChg
January 01, 2014, 09:42:39 PM
 #12030

Yes. But PaulyC was not running a big account with a well-known and hallmarked IP, right?

As I understand, this applies to all machines, not only big, hallmarked nodes, right?

And since exploits usually depend on a particular environment, they might not work in all cases.

So some bot scans the network and tries this exploit on every machine it can find.
In some particular combination of OS/soft it works. Boom, money stolen.



Come-from-Beyond
January 01, 2014, 09:44:56 PM
 #12031

Yes. But PaulyC was not running a big account with a well-known and hallmarked IP, right?

As I understand, this applies to all machines, not only big, hallmarked nodes, right?

And since exploits usually depend on a particular environment, they might not work in all cases.

So some bot scans the network and tries this exploit on every machine it can find.
In some particular combination of OS/soft it works. Boom, money stolen.

Let's just ask PaulyC if his computer was accessible from the Internet (no NAT, ports r open). PaulyC?
NxtChg
January 01, 2014, 09:49:50 PM
 #12032

Also, some detailed logging should probably be implemented, precisely to quickly check this sort of thing.

User says money stolen - ask to send his log.

S3MKi
January 01, 2014, 09:51:32 PM
 #12033

Hack account spoils nxt's release Angry
swartzfeger
January 01, 2014, 09:53:56 PM
 #12034

I've got PaulyC's password. It's uncrackable and matches the account. If he is not trolling then we have 4 explanations:

- Someone cracked SHA256 and Curve25519 (why then multi-million accounts not hacked?)
- Someone distributes modified NRS (someone should decompile PaulyC's software)
- Keylogger
- He used online node that records entered passphrases

While I may give PaulyC the benefit of doubt, it can't be ruled out that it is a legit transaction authorized by PaulyC himself.

What about this?

Nobody?

I don't understand why more isn't being made of this. Sorry, that came off wrong... it's the new year, we're all busy, etc.

I grok 1% of the technicals of NXT. And no distrust intended for PaulyC, but Occam's Razor tells me "PaulyC- xfer-->new account".

What's stopping me from coming in here crying "all 7091 of my NXT have been **HACKED**! Here's the address it went to." We have no way of knowing if I have the passphrase for the second account. Right?

edit: am I missing part of the story/salient data here?
S3MKi
January 01, 2014, 09:53:59 PM
 #12035

Hack account spoils nxt's release Angry

NOT in my eyes!   Wink
What about new investors?
laowai80
January 01, 2014, 09:57:06 PM
 #12036

Hack account spoils nxt's release Angry

No, it doesn't.
There'll be many more theft cases, just like in bitcoin, just like in banks, just like in anything in life.
Human factor is usually the weakest link in any best designed system, and is accountable for 90-ish% of all crime cases.
Passion_ltc
January 01, 2014, 09:59:29 PM
 #12037

https://nextcoin.org/index.php/topic,1959.0.html

Please say what service you want to see! Smiley

Come-from-Beyond
January 01, 2014, 10:02:13 PM
 #12038

96.236.149.74 leeched more than 18 GiB of data... Anyone sees this zombie in their active peers? What r the numbers?
laowai80
January 01, 2014, 10:11:18 PM
 #12039

96.236.149.74 leeched more than 18 GiB of data... Anyone sees this zombie in their active peers? What r the numbers?

nope, apparently your bandwidth tastes the best to that zombie )
marcus03
January 01, 2014, 10:14:49 PM
 #12040

Maybe the announcement for new client releases can be in this thread with the sha256 checksum and a link to those 3 downloads, then someone at admin/forums/www can then update the sites with the sha256 info?

What about putting the sha256 checksum into the block chain? The NXT software could then update itself.
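
The check discussed across this thread (hash the downloaded client, compare it with the SHA256 the developer published, and cross-check that checksum against a second place such as the announcement post here), as an added example that is not part of any post or of the Nxt software. Function names, source names and the sample announcement texts are constructed; an announcement may list several checksums, one per download.

```python
import hashlib
import os
import re
import tempfile

HEX64 = re.compile(r"\b[0-9a-fA-F]{64}\b")  # a SHA256 digest written as hex


def sha256_file(path, chunk_size=1 << 20):
    """Hash the file in chunks so a large download is never read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def extract_checksums(text):
    """Every 64-hex-digit token in an announcement, lower-cased (one per download)."""
    return {token.lower() for token in HEX64.findall(text)}


def verify_release(path, announcements):
    """announcements maps a source name to the text published there.
    Returns (ok, reason); ok only with at least two sources that all list the file's hash."""
    if len(announcements) < 2:
        return False, "need at least two independent sources"
    actual = sha256_file(path)
    missing = sorted(name for name, text in announcements.items()
                     if actual not in extract_checksums(text))
    if missing:
        return False, "hash %s not published by: %s" % (actual, ", ".join(missing))
    return True, "hash %s published by all %d sources" % (actual, len(announcements))


if __name__ == "__main__":
    # Constructed sample: a stand-in "release" file and two announcement texts.
    with tempfile.NamedTemporaryFile(delete=False) as fh:
        fh.write(b"constructed stand-in for a client release archive")
        sample = fh.name
    good = sha256_file(sample)
    sources = {
        "forum thread post": "client released, sha256: " + good.upper(),
        "info site": "SHA256 " + good,
    }
    print(verify_release(sample, sources))
    sources["info site"] = "SHA256 " + "0" * 64  # one source altered
    print(verify_release(sample, sources))
    os.remove(sample)
```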
